Cyber terrorism: no longer fiction; the threat of cyber terrorism became much more real after Sept. 11. Here's how states are trying to reduce the risks.

• Author: Boulard, Garry

On the morning of Sept. 11, 2001, New York Senator Michael Balboni was on his way from Long Island to deliver a lecture in midtown Manhattan when he heard about the terrorist attacks on the World Trade Center.

As a native New Yorker whose district hugs the northern shore of Long Island, across the East River from what would soon be universally known as "Ground Zero," Balboni was grief-stricken by the day's events.

But he quickly realized that the tragedy might serve as a wake-up call not only to his fellow New Yorkers, but to members of the Legislature. His earlier pleas there asking that terrorism, bioterrorism and cyber terrorism be given a legal definition had received a less than enthusiastic response.

"Before 9/11, my bill on terrorism had little or no traction in the New York Senate," says Balboni. A former senator had told him "the only weapon of mass destruction we have in New York City is the assault weapon."

In February of this year, New York Governor George Pataki signed into law the Omnibus Governors' Program Bill, which created legal definitions for a wide array of terrorist crimes. It also strengthens the authority of law enforcement to investigate and prosecute terrorists.

But it was a second measure, SB 1627, that Balboni, who currently serves as chairman of the Senate Committee on Veterans, Homeland Security and Military Affairs, particularly enjoyed seeing made into law.

That measure created a legal definition for the act of cyber terrorism in New York, making it a Class B felony to launch an attack on any local, state or federal government computer network.

"Until now, New York, like many other states, has simply not officially recognized or acknowledged what the computer experts have said is a very real threat, what they call a 'denial of service' attack," says Balboni.

WREAKING HAVOC

Simply put, a hacker or terrorist could bombard a state agency site with millions of "requests for information," thus causing the site to overload and shut down.

Similarly, an intruder--via the Internet--could potentially invade a system designed to control a city's water supply or air transportation systems and wreak havoc.

Such scenarios, to many, seem improbable. And maybe they are. "The real question is: What CAN happen?" asks Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College. "What is it possible to do?"

In the fall of 2001, just days after the 9/11 attack, Vatis sought to answer his own question. His report, "Cyber Attacks During the War on Terrorism," was quickly scooped up and devoured by the nation's computer security community. In it, Vatis says the "potential exists for much more devastating cyber attacks following any U.S.-led retaliation to the terrorist attacks on America."

"It was the honest thing to say," Vatis now maintains. "If you study this matter at all, you quickly have to conclude that a major cyber attack on the nation's information infrastructure could very well take place. If it went the way the attackers hoped, it would probably be devastating."

For cyber security experts the advent of a major cyber attack had always centered on whether or not it was possible. The question of what was probable--as was repeatedly noted by critics--was not addressed.

WHEN THE IMPOSSIBLE HAPPENS

What happened on the morning of Sept. 11 changed that.

"If, on the day before that day, I asked you what the odds were that four people were going to hijack four planes. And three of them would hit prominent buildings and that both towers of the World Trade Center would collapse--you would have said such a risk is minimal," says Scott Charney, the chief security strategist for Microsoft.

"After Sept. 11, that very afternoon, in fact," he says, "you would have said there was a 100 percent chance that something like the attacks of that morning could occur.

The reason for the sudden change in perception, of course, is that the highly improbable did happen. But just as important was the fact that everyone saw it happen on live national television, reinforcing the very real transformation of the highly improbable into decidedly possible.

Moreover, many of those same experts believe the states should now consider information systems security as not only a necessary, but a regular part of their budgets.

"It is...